Wednesday, 4 May 2016

CANToolz: ISO-TP and DIFF updates

I want to summarize all the recent updates and features in CANToolz that help us understand a vehicle's CAN network.

First of all, I have ported CANToolz to Python 3.x and added CANSocket support, so the new module hw_CANSocket works with a CAN device over a CAN socket. Simple and cool.

Another thing that was improved: the UDS service detection and ISO-TP detection methods in mod_stat. Anton Sysoev reported that this module made some mistakes in ISO-TP detection, because on his VW all ISO-TP messages are padded to 8 bytes! So I have improved mod_stat: it can now detect padding in ISO-TP messages. A padding option was also added to gen_ping, so it is possible to generate messages with a chosen padding byte. As an example of how it works, you can see how Anton sniffs the traffic between VAG and his car's OBD-II port to understand which UDS services are used (and how):

This is a dump of the traffic between VAG and the VW. Here we can see two devices talking to each other, and the padding is 0x55 in requests and 0xAA in responses. You can also see that the CAN ID of a UDS response is equal to the request's ID + 0x6A (not + 0x8, which we use by default). We need to change this parameter in 'UDS shift value', and then we can try to analyze the traffic:

Wow! It works. Thanks Andrey for testing this on your car and for the feedback and advice. So here we can see that CANToolz can re-assemble ISO-TP messages and find UDS services! Yes, you can see an ERROR in 'security access', but this is because VW uses unknown (non-default?) sub-commands which CANToolz does not understand by default. But anyway we were able to get the CHALLENGE and RESPONSE of security access, and it looks like there is another problem, but that is outside our topic and maybe Andrey will disclose what he has found later. So here I am happy just because, in general, my UDS detection works very well. We could go further and find how to enable and disable this feature in the ECU, and then do the same action from CANToolz without VAG at all. But this is another story...
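To make the two points above concrete (padding detection and the non-default UDS shift), here is a small ISO-TP reassembler with UDS request/response pairing. It is an added example modelled on what mod_stat does, not CANToolz code; the frames in SAMPLE_FRAMES are constructed for the demo (tester ID 0x700 padded with 0x55, ECU ID 0x76A padded with 0xAA, shift 0x6A), and the service table covers only a couple of SIDs.

```python
"""ISO-TP (ISO 15765-2) reassembly with padding detection and UDS pairing.
Added example modelled on the mod_stat behaviour described above; it is not
CANToolz code. Frames, IDs and the service table are constructed for the demo."""
from collections import defaultdict

# A few UDS request SIDs (positive response SID = request SID + 0x40).
UDS_SERVICES = {0x22: "ReadDataByIdentifier", 0x27: "SecurityAccess"}
UDS_SHIFT = 0x6A  # response CAN ID = request CAN ID + shift (0x08 is the usual default)

# Constructed dump: tester 0x700 pads with 0x55, ECU 0x76A pads with 0xAA.
SAMPLE_FRAMES = [
    (0x700, bytes.fromhex("0227015555555555")),  # SF  SecurityAccess requestSeed
    (0x76A, bytes.fromhex("06670111223344AA")),  # SF  seed 11223344
    (0x700, bytes.fromhex("0322F18C55555555")),  # SF  ReadDataByIdentifier F18C
    (0x76A, bytes.fromhex("100F62F18C534E30")),  # FF  15-byte response, starts "SN0"
    (0x700, bytes.fromhex("3000005555555555")),  # FC  clear to send
    (0x76A, bytes.fromhex("2131323334353637")),  # CF1 "1234567"
    (0x76A, bytes.fromhex("223839AAAAAAAAAA")),  # CF2 "89" + 5 padding bytes
    (0x700, bytes.fromhex("062702DEADBEEF55")),  # SF  SecurityAccess sendKey
    (0x76A, bytes.fromhex("037F2735AAAAAAAA")),  # SF  negative response, NRC 0x35
]


def detect_padding(frame, used):
    """Padding byte if every byte after the `used` ISO-TP bytes is one repeated
    value, else None (also None when the frame is fully used)."""
    tail = frame[used:]
    return tail[0] if tail and len(set(tail)) == 1 else None


class IsoTpReassembler:
    """Reassembles SF/FF/CF sequences per CAN ID and records padding bytes seen."""

    def __init__(self):
        self.partial = {}                # can_id -> {"expected", "data", "seq"}
        self.padding = defaultdict(set)  # can_id -> padding bytes observed

    def _note_padding(self, can_id, frame, used):
        pad = detect_padding(frame, used)
        if pad is not None:
            self.padding[can_id].add(pad)

    def feed(self, can_id, frame):
        """Feed one 8-byte frame; return (can_id, payload) when a message completes."""
        pci = frame[0] >> 4
        if pci == 0:                                      # single frame
            length = frame[0] & 0x0F
            self._note_padding(can_id, frame, 1 + length)
            return can_id, bytes(frame[1:1 + length])
        if pci == 1:                                      # first frame, 12-bit length
            length = ((frame[0] & 0x0F) << 8) | frame[1]
            self.partial[can_id] = {"expected": length, "data": bytearray(frame[2:8]), "seq": 1}
            return None
        if pci == 2:                                      # consecutive frame
            state = self.partial.get(can_id)
            if state is None or (frame[0] & 0x0F) != state["seq"]:
                self.partial.pop(can_id, None)            # orphan CF or sequence error: drop
                return None
            state["seq"] = (state["seq"] + 1) & 0x0F
            take = min(7, state["expected"] - len(state["data"]))
            state["data"] += frame[1:1 + take]
            if len(state["data"]) < state["expected"]:
                return None
            self._note_padding(can_id, frame, 1 + take)   # only the last CF can carry padding
            del self.partial[can_id]
            return can_id, bytes(state["data"])
        if pci == 3:                                      # flow control: PCI, BS, STmin
            self._note_padding(can_id, frame, 3)
        return None


def label_uds(messages, shift=UDS_SHIFT):
    """Tag each reassembled message as request / positive / negative response,
    pairing a response with its request by (can_id - shift)."""
    request_ids = {cid for cid, p in messages if p and p[0] in UDS_SERVICES}
    labels = []
    for cid, p in messages:
        sid = p[0] if p else None
        if sid in UDS_SERVICES and cid in request_ids:
            labels.append((cid, "request", UDS_SERVICES[sid], p.hex()))
        elif sid == 0x7F and len(p) >= 3 and (cid - shift) in request_ids:
            labels.append((cid, "negative response", UDS_SERVICES.get(p[1], "unknown"), p[2]))
        elif sid is not None and (sid - 0x40) in UDS_SERVICES and (cid - shift) in request_ids:
            labels.append((cid, "positive response", UDS_SERVICES[sid - 0x40], p.hex()))
        else:
            labels.append((cid, "unknown", None, p.hex() if p else ""))
    return labels


def analyze(frames, shift=UDS_SHIFT):
    """Run a dump through the reassembler; return (messages, padding per ID, labels)."""
    asm = IsoTpReassembler()
    messages = [m for m in (asm.feed(cid, f) for cid, f in frames) if m is not None]
    return messages, dict(asm.padding), label_uds(messages, shift)


if __name__ == "__main__":
    msgs, pad, labels = analyze(SAMPLE_FRAMES)
    print({hex(k): [hex(v) for v in vs] for k, vs in pad.items()})
    for cid, kind, service, detail in labels:
        print(hex(cid), kind, service, detail)
```

Running `analyze(SAMPLE_FRAMES, shift=0x08)` instead of the default 0x6A labels all three ECU messages as "unknown", which is exactly the symptom the 'UDS shift value' setting fixes: the payloads decode fine, but the responses cannot be paired with a request ID.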

One more important update is related to DIFF mode. Now it is more functional and useful! And again let's look at these features on a real example provided by @Z0ha4. He has a BMW, and he is also preparing it for Hardware Village Russia. He is going to use the DIFF feature of CANToolz to find useful control messages on the CAN bus. He will tell more about this at PHDays, but I want to tell you about the CANToolz DIFF mode, which has changed a little. It now supports multiple buffers: you can name them and dump traffic into them separately, and later do DIFFs between those buffers and dump them, or dump just the diffs. For that use the command "Switch sniffing to a new buffer", and you can give this buffer a name.

In general you need "white-noise" traffic as the baseline set (captured while you do nothing; all diffs are done against this set to find the actions in the other sets). Just start the car and dump CAN traffic for one minute. Then stop mod_stat and use "Switch sniffing to a new buffer" to create a new buffer. You can name it if you want, for example "Windows Down/Up action". Then activate mod_stat and perform this action in the car. Right after that, stop mod_stat and think about the next action. Then repeat: create a buffer, activate mod_stat, do an action, disable mod_stat (or stop sniffing, because we do not want noisy frames in those buffers). After that you will have several buffers, one per action:

You can do a DIFF between any two buffers by using their indexes (by default the last two buffers are compared). Here we are trying to find the CAN frames of the windows action:

We use "Print Diff between two buffers (new ID only)" to find only frames whose ID was not sniffed in the "white-noise" buffer. The frames with ID 0xFA look exactly like what we are looking for. Of course we can dump this diff and do a replay, or something else, but let me show you another simple thing that can help us validate our guess: searching by ID. Yes, a simple search. Let's search for this ID (0xFA) in all buffers:

As a result we can see that this ID (0xFA) is found only in the dump related to the car's window action. Also the low value of the ID tells us that it looks like what we want. Later we can find which frames are related to the up or down action and which bits mean what, but this is later work and we will cover it later.
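The buffer workflow above (baseline "white noise", one named buffer per action, "new ID only" diff, then search by ID across all buffers) as a small stand-alone model. This is an added example, not CANToolz code: SniffBuffers and its method names are my own, the frames in build_demo are constructed (not a BMW capture), and diff_new_frames is an assumed generalisation that also catches a known ID carrying a payload the baseline never showed.

```python
"""Named sniff buffers with DIFF and search-by-ID. Added example mirroring the
mod_stat workflow described above; it is not CANToolz code. Frames are
constructed (can_id, data) tuples, not a real capture."""


class SniffBuffers:
    def __init__(self):
        self.buffers = []                      # list of (name, [frames])

    def switch_to_new_buffer(self, name=None):
        """Like "Switch sniffing to a new buffer": frames sniffed from now on land here."""
        self.buffers.append((name or "buffer %d" % len(self.buffers), []))
        return len(self.buffers) - 1

    def sniff(self, frames):
        """Append captured frames to the current (last) buffer."""
        self.buffers[-1][1].extend(frames)

    def _pair(self, a, b):
        # Default: compare the last two buffers, as the DIFF command does.
        if a is None or b is None:
            return len(self.buffers) - 2, len(self.buffers) - 1
        return a, b

    def diff_new_ids(self, a=None, b=None):
        """Frames of buffer b whose CAN ID never occurs in buffer a
        ("Print Diff between two buffers (new ID only)")."""
        a, b = self._pair(a, b)
        base_ids = {cid for cid, _ in self.buffers[a][1]}
        return [f for f in self.buffers[b][1] if f[0] not in base_ids]

    def diff_new_frames(self, a=None, b=None):
        """Assumed generalisation: frames of b whose (ID, payload) pair never
        occurs in a, so a known ID carrying a new value is reported too."""
        a, b = self._pair(a, b)
        seen = set(self.buffers[a][1])
        return [f for f in self.buffers[b][1] if f not in seen]

    def search_id(self, can_id):
        """Names of every buffer that contains at least one frame with can_id."""
        return [name for name, frames in self.buffers
                if any(cid == can_id for cid, _ in frames)]


def build_demo():
    """Baseline noise, then two actions recorded into their own buffers (constructed data)."""
    noise = [(0x1A0, bytes([0x00, 0x10, 0x00, 0x00])),
             (0x2C0, bytes([0x1F, 0x00, 0x80, 0x00])),
             (0x3F0, bytes([0x00, 0x00, 0x00, 0x01]))]
    sb = SniffBuffers()
    sb.switch_to_new_buffer("white noise")
    sb.sniff(noise * 3)                                    # one minute of doing nothing
    sb.switch_to_new_buffer("Windows Down/Up action")
    sb.sniff(noise + [(0xFA, bytes([0x01, 0x00])),         # new ID appears only here
                      (0xFA, bytes([0x02, 0x00]))] + noise)
    sb.switch_to_new_buffer("Lights action")
    sb.sniff(noise + [(0x2C0, bytes([0x1F, 0x00, 0x81, 0x00]))] + noise)  # known ID, new bit
    return sb


if __name__ == "__main__":
    sb = build_demo()
    print("new IDs (noise vs windows):", [hex(c) for c, _ in sb.diff_new_ids(0, 1)])
    print("new frames (noise vs lights):", sb.diff_new_frames(0, 2))
    print("0xFA found in:", sb.search_id(0xFA))
```

The "new ID only" diff is the quick win when an action introduces a fresh arbitration ID, as with 0xFA above; when an action only flips bits inside an ID that is already chatting on the bus (the constructed "Lights action" case), only the payload-level diff surfaces it, which is why having both views of the same buffers is useful.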

Once again I want to thank the whole Hardware Village community for feedback about CANToolz and good advice. All these examples were done by them just for fun, because they are enthusiasts! So I can improve CANToolz thanks to the community's help, and that is great. Anyway, over the last 3 months (this tool is very young, as you can see) we have had >200 commits, and new awesome features will be added soon! Yes, maybe the front-end/GUI part is not so awesome and we lack documentation, but anyway I have found this project very useful not only for fun and car hacking, but also for OEM/vendor internal tests and (security) automation, and we will talk about this later, for sure.